A question on the security levels in .NET Admin

  • Hi All,

    In Administration > System > .Net Admin there is a list of DLLs and each one has a security level of "Run in Sandbox" or "Fully Trusted". Could someone explain what these security levels are for and what the difference between the two options is please?

    Thanks

    Chris


  • Hi Chris,

    It has to do with the .NET trust levels you've got assigned to the individual add-on DLLs. Generally you'd leave an add-on running in a sandbox. Here are a couple of definitions that may help:

    Sandbox: A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers and untrusted users. The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

    Full Trust: Your code is allowed to do anything in the framework, meaning that all (.Net) permissions are granted.

    "Full-trust" is a .NET term used to indicate that it's not running in a reduced-privilege .NET sandbox. In .NET prior to 3.5 SP1, this included running from a network share (in the default configuration). It also includes running as a ClickOnce application that has not requested additional permissions, or in some other browser-based sandbox. Full-trust means it can do anything the user it is running as can do, not that it is running as an administrator.

    Hope this helps,

    Rob

  • Hi Rob,

    Thanks for a very clear and concise explanation!

    Regards

    Chris

  • I know this is an old topic, but every now and then I get this error when loading a .Net DLL page:

        File not found: <full path and name of DLL>

        An error has occurred in a CRM .Net customization.  Please contact your vendor to resolve.

    The .Net log shows this:

    Class: CRMWrapper - Method: ExecWebPageNew - Error: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See go.microsoft.com/fwlink for more information.

    So my question is: how do I fix this problem? Note that the page had been running fine and still runs fine in our development environment.

    Thanks for any help you can provide.

    There's a known issue - not in the CRM world but in the wider .NET world - where zipped files can cause this load exception. Maybe you're deploying the assembly to your client in a zip? If so then you're not the only one to find that it can cause a problem:

    https://resharper-support.jetbrains.com/hc/en-us/articles/207242905-CAS-policy-exceptions-during-CLT-running

    https://ardalis.com/untrusted-projects-and-blocked-files-in-visual-studio

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/4920652a-5681-4972-a724-58c7a71ecf87/blocked-dll-from-another-computer-quotan-attempt-was-made-to-load-an-assembly-from-a-network?forum=clr

    Thanks Chris. I tried the 'Unblock' approach on the ZIP file but still couldn't load my .Net assemblies. To fix the problem, we had to ask IT to deactivate Windows Defender for the folder. For some reason, they removed Windows Defender from the server entirely, and then the DLLs worked. The troubleshooting steps were:

    - in Windows Explorer, checked Properties > Security for one of the DLLs in the CustomDotNet folder

        - noticed a system pop-up message stating

               Your IT administrator requires a security scan of this item. The scan could take up to 10 seconds

    - a bit of googling revealed it to be a Windows Defender message.

        - superuser.com/.../your-it-administrator-requires-a-security-scan-of-this-item-what-item

    The article suggested reviewing the server's Event Log located at:

        - Event Viewer > Applications and Services logs > Microsoft > Windows Defender > Operational

    In there we found this message for each of the DLLs we tried to access:

        - Windows Defender Antivirus has uploaded a file for further analysis. Filename: ...
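
The two checks that the last few posts describe by hand, gathered into one script as an added example (this is not code from the thread, from Sage CRM, or from the linked articles). It assumes the add-on folder path is a placeholder you replace with your own, that it runs on the CRM server with rights to read the Windows Defender event log, and that the DLLs sit on an NTFS volume (the Zone.Identifier alternate data stream that marks a file as downloaded only exists on NTFS). The event-log name and the cmdlets are standard Windows PowerShell; no event ID is assumed, the log is filtered by filename in the message text.

```powershell
# Added example, not part of the original thread or of Sage CRM.
# Locate add-on DLLs that the CLR will treat as "loaded from a network location",
# and pull the Defender Operational events that mention them.
param(
    [string]$DllFolder = 'C:\PLACEHOLDER\CRM\CustomDotNet',   # assumed path; substitute your own
    [int]$HoursBack = 24
)

# 1. DLLs carrying the Zone.Identifier stream (the "mark of the web" left by a download or
#    an extracted zip). This is the condition behind the error quoted above:
#    "An attempt was made to load an assembly from a network location ..."
$blocked = Get-ChildItem -Path $DllFolder -Filter *.dll -File | Where-Object {
    Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

foreach ($dll in $blocked) {
    # The stream body is a small INI block; ZoneId=3 means "Internet".
    $zone = (Get-Content -Path $dll.FullName -Stream Zone.Identifier) -join ' '
    Write-Host "Marked as downloaded: $($dll.Name)  [$zone]"
}

# 2. Remove the mark per file rather than switching on loadFromRemoteSources for the whole
#    process: Unblock-File touches only the assemblies you have vetted, whereas the runtime
#    switch named in the error message disables the check for every assembly that is loaded.
#    Uncomment to apply after reviewing the list printed above:
# $blocked | Unblock-File -Verbose

# 3. Recent Windows Defender Operational events that name any DLL in the folder. This is the
#    log (Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational)
#    in which the previous post found the "uploaded a file for further analysis" entries.
$names = (Get-ChildItem -Path $DllFolder -Filter *.dll -File).Name
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue | Where-Object {
    $msg = $_.Message
    # Keep the event if its message mentions any of the add-on DLL filenames.
    $names | Where-Object { $msg -like "*$_*" }
}

$events |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on the server; step 1 tells you whether the "network location" error is really the mark-of-the-web problem the ReSharper and MSDN links describe, and step 3 tells you whether Defender is holding or submitting the files, which is the separate condition the last post ran into after unblocking had not helped. If you do opt for the global switch instead of step 2, it is the `<loadFromRemoteSources enabled="true"/>` element under `<runtime>` in the application's config file, and it applies to every assembly that process loads, not just the add-ons in this folder.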